Last few weeks I'm trying to improve the security of my Zimbra Collab server. I use open source edition. Release 8.7.2.GA.1736.UBUNTU14.64 UBUNTU14_64 FOSS edition but this is with the 8.7.3 release.
If I test with:
https://www.htbridge.com/ssl -- result is an F
https://www.ssllabs.com/ssltest -- result is an B
How do I get better security?
Weak DH encryption
Forward secrecy - WEAK
Uses common DH primes - I created new ones 3072
The server's Diffie-Hellman parameter is too small. (Non-compliant with NIST, HIPAA and PCI DSS)
The server supports elliptic curves that are considered weak. (Non-compliant with NIST, HIPAA and PCI DSS)
Also this article doesn't get me more secure.
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test
Disabling the weak ciphers can create problem with some applications I found on google. I didn't disable:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK
Enable Strict Transport Security (HSTS) & Session resumption (caching)
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
Result of test website is HSTS is not active....?
Also a set of guidelines:
Also I tried to improve the NGINX config files as indicated on several sites, incl Zimbra.
Please help and advice!
- Zimbra Collaboration 9.0.0 now available. Read the release notes.
- Zimbra Collaboration 8.8.15 LTS now available. Read the release notes.
- Are you a Zimbra Developer? You can find some interesting stuff in our Official GitHub, Blog and the Community Github.
- Zimbra is Open Source! Read the FAQ. You can also contribute and build binary from source!
Discuss your pilot or production implementation with other Zimbra admins or our engineers.
1 post • Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 17 guests